valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,513 Commits 20 Branches 25 Tags 21 MiB
d62bc41bfb
Commit Graph

335 Commits

Author SHA1 Message Date
sbousseaden
32c6b34746
Create sysmon_lsass_memdump.yml 2019-04-03 13:51:59 +02:00
sbousseaden
ddb2d92a98
Create sysmon_tsclient_filewrite_startup.yml 2019-04-03 13:19:59 +02:00
Tareq AlKhatib
783d8c4268 Reverting back to regular Sysmon 1 to fix CI test 2019-03-09 21:31:56 +03:00
Tareq AlKhatib
075df83118 Converted to use the new process_creation data source 2019-03-09 20:57:59 +03:00
Yugoslavskiy Daniil
05cc7e455d atc review 2019-03-06 05:25:12 +01:00
yugoslavskiy
725ab99e90
Merge pull request #1 from AverageS/master 
Fix rules
 2019-03-06 04:31:01 +01:00
Wydra Mateusz
534f250c35 Merge branch 'master' of https://github.com/krakow2600/sigma 2019-03-06 00:45:16 +01:00
Wydra Mateusz
bb95347745 rules update 2019-03-06 00:43:42 +01:00
mrblacyk
07807837ee Missing tags 2019-03-06 00:02:37 +01:00
mikhail
be108d95cc Merge branch 'master' of https://github.com/AverageS/sigma 2019-03-06 01:57:38 +03:00
mikhail
40241c1fdf Fix 4 rules 2019-03-06 01:56:05 +03:00
mrblacyk
99595a7f89 Added missing tags and some minor improvements 2019-03-05 23:25:49 +01:00
Thomas Patzke
6bdb4ab78a Merge cleanup 2019-02-27 22:05:27 +01:00
Thomas Patzke
c922f7d73f Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00
Thomas Patzke
58a32f35d9
Merge pull request #246 from james0d0a/master 
Added esentutl copy command to sysmon_susp_vssadmin_ntds_activity.yml
 2019-02-24 16:53:49 +01:00
Tareq AlKhatib
7d3d819ea5 Added a detection path through process spawn 2019-02-24 10:29:58 +03:00
Tareq AlKhatib
a022333382 Added private IP filter to reduce FPs 2019-02-23 21:15:03 +03:00
Florian Roth
d3b623e92a Rule: suspicious pipes extended 
https://github.com/Neo23x0/sigma/issues/253
 2019-02-21 13:26:48 +01:00
Florian Roth
343a40ced7 Rule: extended exec location rule to support 4688 events 2019-02-21 13:26:48 +01:00
Florian Roth
f0a4aede24 Rule: RDP over Reverse SSH Tunnel 2019-02-16 19:36:13 +01:00
Tareq AlKhatib
cd3cdc9451 Removed unnecessary '1 of them' in condition 2019-02-13 21:26:02 +03:00
Florian Roth
8d819cfeea Rule: fixed bug in Renamed PowerShell rule 2019-02-13 13:23:02 +01:00
james dickenson
b16bb4bf9b Added esentutl copy command to sysmon_susp_vssadmin_ntds_activity.yml 2019-02-11 21:10:49 -08:00
Florian Roth
be26ada875 Rule: Suspicious csc.exe parents 2019-02-11 13:50:51 +01:00
Thomas Patzke
d43e67a882 Merge branch 'development' of https://github.com/yt0ng/sigma into yt0ng-development 2019-02-10 00:00:45 +01:00
Thomas Patzke
d9aceeb7eb
Merge pull request #228 from keepwatch/ssp-regkey-detection 
SSP added to LSA configuration
 2019-02-09 23:44:55 +01:00
Florian Roth
efb223b147
Merge pull request #245 from kpolley/master 
2nd method to call downloadString or downloadFile in Powershell
 2019-02-09 09:35:19 +01:00
Florian Roth
7e732a2a89
Merge pull request #232 from TareqAlKhatib/duplicate_filters 
Duplicate filters
 2019-02-09 09:23:57 +01:00
Kyle Polley
c8c06763b4 added keywords & source to sysmon_powershell_download.yml 2019-02-07 18:25:04 -08:00
keepwatch
e6217928f3 Added '/' prefix, -encode switch, better renamed certutil coverage 2019-02-06 10:45:32 -05:00
Unknown
2f66ba25f0 adjusted MITRE ATTCK tag 2019-02-06 11:27:51 +01:00
Unknown
4d048c71bb adjusted spaces 2019-02-06 11:10:42 +01:00
Unknown
54ec01bcdd adjusted space 2019-02-06 11:10:00 +01:00
t0x1c-1
150499d151 Detects Executables without FileVersion,Description,Product,Company likely created with py2exe 2019-02-06 10:58:37 +01:00
t0x1c-1
21f34ab8ba suspicious behaviour 2019-02-06 10:52:41 +01:00
keepwatch
bad80ffa78 Update sysmon_ssp_added_lsa_config.yml 
Syntax fix
 2019-02-05 16:28:06 -05:00
Florian Roth
8f684ddd06 Rule: FP in WMI persistence with SCCM 2019-02-05 15:57:54 +01:00
Thomas Patzke
3ef930b094 Escaped '\*' to '\\*' where required 2019-02-03 00:24:57 +01:00
Thomas Patzke
6440bc962b CACTUSTORCH detection 2019-02-01 23:27:53 +01:00
Florian Roth
c9ec469180 style: cosmetics - removed empty lines at file end 2019-01-29 12:54:07 +01:00
Tareq AlKhatib
7e4bb1d21a Removed duplicate filters 2019-01-25 12:21:57 +03:00
Thomas Patzke
9ce7d18712
Merge pull request #231 from TareqAlKhatib/rule_testing_framework 
Rule testing framework
 2019-01-23 23:16:46 +01:00
Tareq AlKhatib
ecffe28933 Correct MITRE tag 2019-01-22 21:26:07 +03:00
Florian Roth
cc6e0baef1 rule: extended certutil rule to include verifyctl and allows renamed certutil 
https://twitter.com/egre55/status/1087685529016193025
 2019-01-22 16:20:06 +01:00
keepwatch
f99df33b01 SSP added to LSA configuration 2019-01-18 14:05:21 -05:00
Thomas Patzke
96eb460944 Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 23:36:31 +01:00
Florian Roth
f759e8b07c Rule: Suspicious Program Location Process Starts 2019-01-15 15:40:51 +01:00
Thomas Patzke
a9cf14438c Merge branch 'master' into project-1 2019-01-14 22:36:15 +01:00
Florian Roth
604d88cf1e Rule: WMI Event Subscription 2019-01-12 12:03:36 +01:00
Florian Roth
63f96d58b4 Rule: Renamed PowerShell.exe 2019-01-12 12:03:36 +01:00